The Cyber Security Quagmire

THE tragedy of September 11th ushered in a paradigm shift in security. The financial sector's mantra, subsequent to that dark day, was to focus efforts on business continuity and resiliency. Headquarters were backed up to data centers at least 30 miles away and remote access was increased tenfold so as to limit the impact of a terrorist attack. The sector-wide effort to manage the risk posed by physical attacks created an environment wherein once secure operations facilities, which had a single point of access from an IT perspective, now had hundreds of points of virtual ingress. The environment of financial institutions had thus become spider-like. It is this new environment-based upon the valiant initiative of business continuity - wherein technology risk has been exacerbated. The business continuity movement has created a cybersecurity quagmire. The current externalities associated with business continuity are systemic and severe.

In recent years the suspicious activity reports per computer intrusions within financial institutions have grown exponentially. The FDIC Technology Incident Report of 2007 noted three disturbing trends: The number of computer intrusion SAR filings are growing at a fast pace. The estimated mean loss per SAR almost tripled during the prior year.

Unknown unauthorized access was the most frequently identified type of computer intrusion: meaning the FI could not or did not identify how the intrusion occurred-followed by ID theft or account takeover. Spear phishing (when end users with high computer access levels are targeted) was also cited in several sampled computer intrusion SARs.

The 2008 Verizon Business Data Breach report noted that 39 percent of breaches occurred as a result of business partners. These trends illustrate how remote users and third parties- who provide Web hosting, data warehousing and/or business continuity services create increased operational risk.

Most backup facilities and outsourcing arrangements contain serious gaps in security. These gaps have remained persistent due to the lack of regular penetration tests of those networks. In July of 2001, a major hosting company in Atlanta suffered a significant data breach. As a result, 300 banks' networks and users were compromised. This event illustrated the systemic risk associated with outsourcing critical functions and the expanding target for cyber-infiltration.

Critical Gaps

There are three critical gaps created by the new security paradigm. First is Web application and Web service vulnerabilities; many of these operations are over-reliant on their portals and thus have become susceptible to SQL injection, cross-site scripting and other Web service attacks. Second is remote user compromise-telecommuting begets risk. The exponential expansion of remote access has created two phenomena: Hackers are now attacking the wireless transmission layer and spear phishing attacks (client side attacks) have increased exponentially. One must note that VPNs are merely tunnels whose water can be polluted. Devices enter and leave a network many times per day. A rogue device can bring down a network and the remote user population is the weakest link in the security chain. Assessing their susceptibility to spear phishing as well as determining whether those devices are hardened is paramount when managing today's technology risk.

Finally, our incident response strategies are untested and unrefined. For years FI incident response plans have been rarely tested and have been focused on virus outbreaks rather than targeted, staged attacks. The time has come for FIs to black box penetration test the effectiveness of their incident response plans for not only the primary network but also the backup facility and third-party networks upon which they are dependent.

Proper oversight

SAS 70s are outdated. Please note that passing a SAS 70 audit does not suffice. The modern day hostile environment of the Internet coupled with staged attacks and zero-day exploit code is not addressed in SAS 70 guidance whose checklist was developed in the 1990s.

The following should serve as a benchmark for proper risk management of third parties.

First, verify that the legal requirements to which the service provider is contractually obligated are compatible with the bank's definition of adequate security.

Second, identify who in the service provider organization is responsible for security oversight (e.g., CSO or CISO) and their information systems security policy. Review their incident response plan prior to movement of data or provision of service. Confirm that their policies and agreements regarding security breaches include customer notification on a timely basis (within one hour). Maintain the right to test their incident response plan on an annual basis. Confirm that the service provider has adequate backup facilities that are regularly tested for vulnerabilities.

It's essential that on a quarterly basis FIs should conduct penetration tests on service providers-these tests should assess their network security posture, and verify whether they have layered security beyond firewalls, virus scanners and encryption. (NIST 800-53A Appendix G serves as excellent guidance on this matter). Note: These audits should be conducted after security breaches as well.

Finally, demand that your confidential customer data be segregated from other client data.

Situational awareness of the aquatic nature of financial institutions' network vulnerabilities is essential. The Internet has grown evermore hostile. Cyber infiltration via remote user compromise and/or third party compromise is the number one threat facing FIs. Expect to be hit and prepare to survive but recognize that the adversary would rather take over your castle than DDOS it to the ground. The cardinal lesson of 9/11 should have been to respect the technological sophistication and organization of non-state actors.